Isolation of Cores

Claus Stellwag (Elektrobit), Thorsten Rosenthal (Delphi), Swapnil Gandhi (Delphi)
March 2013 – WICERT
RECOMP is made possible by funding from
the ARTEMIS Joint Undertaking.
Goal: Reduce costs of mixed-critical systems
3/22/2013
2
Hardware: Meridian Board
• Development board for the Trusted Computing Platform
• Supports all relevant bus systems (CAN, FlexRay, SPI, Ethernet)
• Lot of I/O pins
• Contains Multicore AURIX controller in FPGA
• External SRAM as flash emulation
• Debugging via JTAG or USB
Source: http://www.recomp.eu/meridian/downloads/Meridian_Datasheet.pdf
MCU Architecture: AURIX TC27x
Note: The FPGA-based board used has only 2 instead of 3 cores.
Source: http://www.infineon.com/dgdl/TriCore_Family-br-2013.pdf?folderId=db3a304412b407950112b409ae660342&fileId=db3a30431f848401011fc664882a7648
AUTOSAR Overview
• AUTOSAR = Basic Software + Methodology + Application Interfaces
• AUTOSAR R4.0 building blocks:
  • Applications (SoftWare Components - SWC)
  • OS
  • Run-Time Environment (RTE)
  • Basic SoftWare (BSW):
    • System Services (e.g. Ecu Manager, Watchdog Manager)
    • (Non-volatile-)Memory stack
    • Communication stack
    • Diagnostic modules
    • Microcontroller abstraction layer (MCAL)
  • Complex Device Drivers (CDD)
AUTOSAR R4.0 + Multicore +Safety
[Diagram: Core0 runs the ASIL SW (two SWCs); Core1 runs the QM SW (four SWCs); both cores sit on a shared RTE / BSW / CDD / OS stack on the MCU]
RECOMP: Automotive Cluster
Delphi ASIL D Application: ESCL (Electrical Steering Column Lock)
ESCL: Safety Goals

ESCL Risks
• Risk 1: Unintended locking while vehicle is in motion (ASIL D)
• Risk 2: Moving from rest with locked ESCL (ASIL B)

ESCL safety goals
• Risk 1 → Goal 1: Unintended locking while vehicle is in motion shall be prevented
• Risk 2 → Goal 2: Starting and rolling of vehicle with locked ESCL shall be prevented

ESCL Safe states
• Safe State 1 (for safety goal 1): ESCL is unlocked, not power supplied and locking function is deactivated
• Safe State 2 (for safety goal 2):
  • No engine start in case the SCL was not successfully unlocked
  • Abort of start sequence / shut-off of engine if ESCL power supply was not switched off after engine was started
Building Blocks of ESCL
• ESCL Module 1: Power supply for ESCL if locking conditions fulfilled
• ESCL Module 2: Locking command to ESCL if locking conditions fulfilled
• Power Mode Manager (PMM): Takes care of power-off, sleep and other power related topics
• Driver Info: Provides information to the driver of the vehicle
• Other QM components
Approach 1: Cross Monitoring
[Diagram: Core0 runs ESCL1 (ASIL SW); Core1 runs ESCL2 and PMM (ASIL SW) plus Driver Info (QM SW); each core has its own RTE / BSW / OS stack, the two stacks are linked by C2C, all on the MCU]
Approach 2: AUTOSAR MultiCore
[Diagram: Core0 runs ESCL1 (ASIL SW); Core1 runs PMM and ESCL2 (ASIL SW) plus Driver Info (QM SW); both cores share one RTE / BSW / OS stack on the MCU]
Approach 3: Isolated ESCL
[Diagram: Core0 runs ESCL1 and ESCL2 (ASIL SW); Core1 runs PMM, Driver Info and a further SWC (QM SW); each core has its own RTE / BSW / OS stack, the two stacks are linked by C2C, all on the MCU]
Details of Implementation
• Each core runs its own application (with a separate ELF image). There is no hard reference between the SW on the different cores.
  • This allows SW updates on the core running the legacy / QM parts without impact on the ASIL cores
• The hardware supports the approach by
  • dedicated core-local memory
  • decentralized access control to shared peripherals
• Core2Core Communication (C2C) allows exchange of data between cores. Special care has been taken that the C2C does not impact the safety part (e.g. lock-free mechanism for communication buffers)
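A sketch of the kind of lock-free C2C buffer the last bullet alludes to, as an added example (not RECOMP, Delphi or Elektrobit code): a single-producer/single-consumer ring buffer in which neither core ever waits for the other, so a stalled QM core cannot hold up the ASIL core. The names, capacity and message layout are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical C2C ring buffer: one producer (ASIL core), one consumer (QM core).
 * Capacity is a power of two so the free-running indices may wrap around. */
#define C2C_CAP  8u
#define C2C_MASK (C2C_CAP - 1u)

typedef struct { uint32_t seq; uint32_t value; } c2c_msg_t;
typedef struct {
    c2c_msg_t slots[C2C_CAP];
    _Atomic uint32_t head;   /* advanced only by the producer core */
    _Atomic uint32_t tail;   /* advanced only by the consumer core */
} c2c_queue_t;

/* Producer side: never waits. If the consumer core has stalled and the buffer
 * is full, the message is dropped and the safety core keeps its timing. */
bool c2c_push(c2c_queue_t *q, c2c_msg_t m) {
    uint32_t h = atomic_load_explicit(&q->head, memory_order_relaxed);
    uint32_t t = atomic_load_explicit(&q->tail, memory_order_acquire);
    if (h - t == C2C_CAP) return false;            /* full: drop, do not block */
    q->slots[h & C2C_MASK] = m;
    atomic_store_explicit(&q->head, h + 1u, memory_order_release);
    return true;
}

/* Consumer side: never waits either; returns false when nothing is queued. */
bool c2c_pop(c2c_queue_t *q, c2c_msg_t *out) {
    uint32_t t = atomic_load_explicit(&q->tail, memory_order_relaxed);
    uint32_t h = atomic_load_explicit(&q->head, memory_order_acquire);
    if (h == t) return false;                      /* empty */
    *out = q->slots[t & C2C_MASK];
    atomic_store_explicit(&q->tail, t + 1u, memory_order_release);
    return true;
}

/* Scenario (constructed): the QM consumer is stalled while the ASIL producer
 * sends n messages, then drains. Returns the drop count, or -1 if delivered
 * messages were out of FIFO order or corrupted. The producer never blocked. */
int c2c_stall_then_drain(unsigned n) {
    c2c_queue_t q = { .head = 0u, .tail = 0u };
    int dropped = 0;
    for (unsigned i = 0; i < n; i++)
        if (!c2c_push(&q, (c2c_msg_t){ i, i * 10u })) dropped++;
    c2c_msg_t m; uint32_t expect = 0u;
    while (c2c_pop(&q, &m))
        if (m.seq != expect++ || m.value != m.seq * 10u) return -1;
    return (expect + (uint32_t)dropped == n) ? dropped : -1;
}
```

With a stalled consumer, sending 12 messages into the 8-slot buffer drops the last 4 and still delivers the first 8 in order; a real deployment would surface the drop count to the safety monitor rather than silently discard it.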
Summary: Pros & Cons
Pro
• Clear isolation simplifies design (safety is concentrated on dedicated core(s) – freedom from interference can be shown more easily)
• Divide and conquer principle eases handling of growing complexity
• Legacy code needs less adaptation (constraints from single core are preserved)
• Less interaction between cores; no additional SW layers needed → better utilization of existing multicore performance
Contra
• Requires more memory
• Requires specific hardware features of the microcontroller
Questions?